Archive for August, 2011

Digital Certificate Scam Lures Users Into Giving Out Personal Data

Wednesday, August 31st, 2011

According to ZDNet, Google, Microsoft and Mozilla are lining up their defenses against an attack that used a fraudulent digital certificate to trick users into releasing their private information to phony Google.com services.

Google alerted users earlier this week that scammers tried to get between Iranian web users and encrypted Google services using a man-in-the-middle attack, which might have threatened the security of sensitive information, such as login credentials.

So just what did the attack do? It attempted to redirect people to a fake Google services page, which used a fake SSL certificate to appear like it was part of Google.com. For example, you could have written an email using Gmail, which would have been captured by a scammer.

“The people affected were primarily located in Iran,” Heather Adkins, information security manager at Google, said in a blog post. “The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).”

In response to the threat, companies like Google, Mozilla and Nor are revoking the fraudulent certificates, while Microsoft said websites with certificates issued by DigiNotar would not be trusted by Windows Vista and later versions of the operating system.

Vasco, the parent company of DigiNotar, says the problem is the result of a hack of the Dutch certificate authority in July. It appears the hackers had fraudulently issued certificates for a number of domains, including Google.com. The fraud also covered Extended Validation SSL (EVSSL) certificates, which have more stringent issuing guidelines.

The ZDNet article points out that DigiNotar revoked the certificates when it found out about the attack, but did not revoke the particular certificate for Google.com.

“Didn’t DigiNotar think it’s a tad weird that Google would suddenly renew their SSL certificate and decide to do it with a mid-sized Dutch [certificate authority], of all places?” Hypponen said in a blog post. “And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement?”

The hackers were probably looking for information on Gmail, Google Docs, and Google+ users, Hypponen suggested. “It’s likely the government of Iran is using these techniques to monitor local dissidents,” he said.


Are Most Privacy Breaches Caused by Insiders?

Wednesday, August 31st, 2011

A new survey from Veriphyr on protected health information (PHI) privacy breaches revealed that 70 percent of those surveyed had suffered one or more breaches within the last 12 months.

The findings show that insiders were responsible for the majority of breaches, with 35 percent looking into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some additional findings include that only 30 percent of breaches were detected within three days. Once a breach was detected, only 16 percent were resolved in three days.
In addition:
• 79 percent of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI
• 52 percent stated they did not have adequate tools for monitoring inappropriate access to PHI


Android is Most Susceptible to Malware

Wednesday, August 24th, 2011

According to CNET, McAfee’s newly released Threat Report reveals that Apple’s iOS is still untouched by malware, while users of Google’s Android platform are 76 percent more likely to encounter malware. This makes Android the most susceptible mobile operating system in the world.

McAfee’s Threat Report outlined the issues facing mobile OS developers. It seems as though Apple’s strict stance on iOS apps and games has prevented malware from plaguing its users.

The only attacks on iPhones were those targeting jailbroken phones, and Apple strongly discourages jailbreaking.

Google has a much less strict process when it comes to getting apps and games on its Android platform. As a result, a significant number of malicious software titles have been downloaded via Google’s own Android Marketplace, as well as separately by users.
With 44 cases of malware in the second quarter alone, Android is nearly four times as targeted as the second-place platform, Java ME, with 14 cases.

HP’s WebOS also contained no known cases of malware, joining iOS as the only other unblemished mobile platform, though the reach of WebOS is significantly less than iOS.


Facebook Improves Privacy

Tuesday, August 23rd, 2011

After being criticized for poor privacy practices, Facebook has updated and simplified its privacy settings. Starting Thursday, Facebook’s 750 million users will have the option to specify who can see their photos, comments, or other content every time they add something.

This means you’ll no longer have to search for the privacy settings page to edit who sees your information. It’ll be clear what you’re sharing with your “friends” and easy to make changes on the fly.

The changes also include photos that you’re tagged in, so you don’t have to worry about unflattering pictures being posted to your Wall without your approval. You’ll have the ability to approve every photo you’re tagged in before it’s posted. Of course, the publisher of the photo can still keep it up on his or her own page.

It’s important to note that the privacy option that is currently called “everyone” will now be called “public.” If you click “public,” that means anyone who is online can see what you are posting, including strangers. Icons will also guide you: “public” is represented by a globe; “friends” by a pair of heads.

Get the full scoop on the privacy changes on the Facebook blog page.


Spear Phishers Target Gmail Users

Sunday, August 21st, 2011

Spear phishers are continuing to target the personal Gmail accounts of U.S. officials, journalists, and activists. First reported by Google in June, spear phishing attempts have not stopped yet, according to a security researcher who first discovered the attempts earlier this year.

Spear phishing uses bogus emails to trick recipients into giving out their personal details, like home addresses and Gmail passwords.

“I am posting this only to highlight the fact that once compromises happen and are covered in the news, they do not disappear and attackers don’t give up or stop. They continue their business as usual,” wrote Mila Parkour, a D.C.-based security researcher on her Contagio Malware Dump blog, which was reported on by ComputerWorld.

In June, Google discovered that the Gmail user names and passwords of a number of personal accounts belonging to senior government officials, activists, and journalists had been compromised. The hack appears to have originated from China, although Google did not accuse any individuals or governments of executing the attack.

Parkour showed a sample of a spear-phishing email and its Taiwanese origins, which she received by creating a fake Gmail account and filling it with Google Alerts related to human rights and military issues. The phishing email asked for Parkour’s Gmail login details to activate a report from the Center for a New American Security (CNAS), called “Blinded: The Decline of U.S. Earth Monitoring Capabilities and its Consequences for National Security.”

Once her login details were collected, the information was routed to and stored on a compromised server in Houston, Texas. Two hours later, the attackers logged into Parkour’s fake account, and checked her inbox twice a day every day thereafter. The HTML code of the email revealed a sender IP address from Taiwan, and use of the Foxmail email client, which Parkour said is commonly used in Chinese phishing attempts.

If you suspect that an email you received is a phishing attempt, never click on a link or attachment within it. Always go directly to the sender’s Web site or give them a call.


Social Media Users Give Away Too Much Info

Sunday, August 21st, 2011

Social media sites are prime targets for fraudsters seeking valuable information on users, according to the latest research by BullGuard, an Internet security company.

The scary part is that the BullGuard study shows that Internet users are often overly complacent about posting personal or potentially sensitive data online. When questioned about various information stored on social networking sites, forums, groups and other interactive services:
• 42 percent of 2,000 consumers surveyed admitted to posting their date of birth
• 18 percent posted their telephone number
• 28 percent opted to have usernames and passwords remembered
• 14 percent did the same for bank details.

When questioned specifically about social networking services such as Facebook and Twitter:
• 36 percent admitted to posting their pets’ names on public pages
• 24 percent shared children’s names
• 7 percent their address, and
• 11 percent showed off photos of high-value goods such as a car or TV

To make matters worse, over a third of Facebook and Twitter users admit they update their profile to inform people that they are away for the weekend or going on holiday, thereby potentially alerting thieves to their absence.

Without sufficient security measures in place, this type of behavior makes it easy for fraudsters to gather personal details that could lead to identity theft.

“Though this sort of information may seem harmless to share with others, much of it is commonly used as security questions when accessing an online bank or confirming identity over the phone,” says Claus Villumsen, Internet security expert at BullGuard. “It’s also a bad idea to publicize the fact that you will be away for any period of time, especially if the house will then be empty, as this just gives more information to would-be thieves as to your whereabouts.”

By understanding the risks, you can protect yourself. Here is a list of things you can do to ensure you’re not victimized:
• Never accept friend requests from people you don’t know, or who aren’t easily identifiable from associations with other friends.
• Learn about the security measures available on sites like Facebook, and ensure that your posts and photos aren’t available to everyone.
• Strip out any personal details from a profile that don’t really need to be there—for example, pets’ names, addresses, maiden name and date of birth.


Social Networking: Privacy Protection Tips

Thursday, August 18th, 2011

Most people exercise caution about revealing personal information in a public place or when surfing online. Yet most don’t think twice before posting all kinds of intimate information on social networking sites. In fact, a whopping 74% of social networkers divulge personal information such as their email address, name and birthday. On top of that, 83% of online users download unknown files from other people’s profiles.

Unfortunately, cybercriminals are counting on this lack of caution. They look at user profiles for information with which to customize attacks known as “spear phishing.” For example, a spear phisher may pose as one of your social networking contacts or friends to create phony messages designed to trick you into revealing more personal data, such as your credit card or phone number. Or they may try to lure you into a phony lottery or high school reunion.

Even if you don’t directly post vital personal information like your birth date or Social Security number on your social networking site, you are still at risk. Using information about your home, hobbies, interests, and friends, a cybercriminal could impersonate a friend or family member, or convince you that they have a legitimate need to request your personal or financial data.

Fortunately, social networking can be safe and fun. To minimize the risk of becoming an identity theft victim, here are a few simple rules:
• Limit your circle of contacts. Consider restricting access to your page to a select group of people and setting your profile to private to prevent uninvited members from viewing your personal information.
• Think twice before clicking a link or downloading a file. Scam artists often post links to infected ad banners in their profiles. Avoid opening links or downloads from strangers, and never enter your password or account number unless you’ve verified the site’s authenticity. When in doubt, always call the site owner to confirm.
• Don’t overshare personal information. Identity thieves can easily find enough photos and personal information on social networking sites to steal your identity. Avoid posting your full name, financial data, Social Security number, street address, birth date, and phone number.

TrustedID offers a Facebook privacy feature that alerts you if your personal information is vulnerable. Our exclusive Facebook app monitors your profile to alert you if your sensitive personal information is unprotected and vulnerable to identity thieves.


Can Criminals Use Facebook to Guess Your Social Security Number?

Monday, August 15th, 2011

According to TG Daily, a new report from Carnegie Mellon suggests that using readily available facial recognition software (technology recently acquired by Google and used heavily in Facebook), cloud computing, and public information.

Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon’s CyLab, took snapshots of volunteers and used facial recognition to match them with their public Facebook profiles. In less than three seconds, the system found 10 possible matches, with the correct Facebook profile page among the top results more than 30% of the time.

Acquisti says the study “suggests that the identity of about one-third of subjects walking by the campus building may be inferred in a few seconds combining social-network data, cloud computing and an inexpensive webcam.”

To make matters worse, the study shows that around 27% of the time, the researchers could use information from Facebook to identify the first five digits of a person’s social security number within four attempts.

Acquisti explained, “A person’s face is the veritable link between his or her offline and online identities. When we share tagged photos of ourselves online, it becomes possible for others to link our face to our names in situations where we would normally expect anonymity.”

When it comes to your privacy, it’s always best to protect it any way you can. To protect your privacy on Facebook, change your privacy settings to disable automatic facial recognition. Here’s how:
1. Look to the upper-right-hand corner of your screen and select the Account drop-down menu.
2. Click Privacy Settings.
3. Select the Custom tab on the left-hand side.
4. Select the Customize Settings option.
5. Under “Things others share,” click the Edit Settings button under “Suggest photos of me to friends.”
6. You’ll see a dropdown menu on the right selected as “Enabled.” Click that and change it to Disabled.

To ensure even more privacy on Facebook, TrustedID offers a Facebook privacy feature that alerts you if your personal information is vulnerable. Our exclusive Facebook app monitors your profile to alert you if your sensitive personal information is unprotected and vulnerable to identity thieves.


Are Your Apps Exposing Your Sensitive Data to Hackers?

Tuesday, August 9th, 2011

PC World reports that new research shows that certain apps are storing sensitive data–like passwords, email, and credit card numbers–in plain text on your phone’s memory, which can be easily accessed by hackers.

Some popular apps store sensitive data, such as user names, passwords, and credit card information, in plain text on your phone’s memory, making this information an easy target for hackers.

A mobile forensics company called viaForensics audited dozens of the most popular apps on both iOS and Android platforms. It found that some of the biggest-name apps–such as Android Mail for Exchange and Hotmail, Foursquare, and Groupon–stored the user’s password and portions of the information that the user accessed through the app, in clear text on the phone’s memory for versions of the apps released in 2011.

With this low level of protection, it wouldn’t be hard for an identity thief to find that data and use it to commit identity theft. Even remote access to your phone to harvest cached data is now possible–the increase in mobile malware on Android phones and jailbroken iOS phones means that insecurities can be easily exploited.

While most apps promise they’ll protect your data and often require passwords, many are not as secure as they need to be. More and more apps unnecessarily store that information on the phone when they don’t have to, and fail to encrypt all of their information when they do have to store the information offline. Also, it’s fairly easy for hackers to download things like the Android software development kit (SDK), which they could use to read data if they got their hands on a stolen phone. For this reason, it’s irresponsible for app creators to expose passwords or sensitive data in the SDK.

Check out the list of 100 apps tested by viaForensics and see how much data they revealed. For example, a third-party download called “Starbucks Cards Manager” stored the user’s entire Starbucks credit card number, expiration date, and CVN (card verification number), in readable memory on the phone.

Here are two quick tips to help protect you against identity theft from your smartphone:
• When it comes to banking and financial transactions, bank with authorized apps only. Don’t trust anyone who won’t provide a thorough description of how they encrypt your financial information.
• Download from reputable publishers only. If you’re unsure about an app, research the publisher’s name to see if their apps have been downloaded a lot and find out what the reviews say about them.


Man Seduces Bank Tellers in ID Theft Scam

Sunday, August 7th, 2011

According to the New York Daily News, a Bronx man stole $1 million from JPMorgan Chase by seducing bank tellers. Richard Dames, who calls himself Geovanni Kasanova, was part of a 148-count indictment, which charged an identity theft ring with stealing the identities of 80 victims in a scheme that ran from 2009 to 2011.

The identity theft ring includes two female bank tellers, who were in love with Dames and are now being charged with stealing account holders’ identities for him. Two male bank employees were also recruited to mine bank computers for dates of birth, social security numbers, and other personal data of victims. They also copied account holders’ bank signature cards so ring members could imitate a victim’s signature as they opened new accounts.

Dames and two other men are charged with using the data to open credit card and eTrade accounts and make cash withdrawals. They each face up to 25 years in prison.
